Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 631544 - sys-apps/man: root privilege escalation via "chown -R" in pkg_postinst
Summary: sys-apps/man: root privilege escalation via "chown -R" in pkg_postinst
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-20 16:41 UTC by Michael Orlitzky
Modified: 2021-01-25 21:55 UTC (History)
10 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Orlitzky gentoo-dev 2017-09-20 16:41:06 UTC
The sys-apps/man ebuilds call "chown -R" on the live root filesystem in pkg_postinst:

  pkg_postinst() {
      einfo "Forcing sane permissions onto ${ROOT}var/cache/man (Bug #40322)"
      chown -R root:man "${ROOT}"/var/cache/man
      chmod -R g+w "${ROOT}"/var/cache/man

This can be exploited by anyone in the "man" group to gain root privileges. If a hard link is placed in /var/cache/man, then the next time sys-apps/man is upgraded or reinstalled, the "chown -R" will affect the target of the symlink, potentially making root-owned files writable by the "man" group. For example,

  1. emerge sys-apps/man
  2. su -s /bin/sh -c 'ln /etc/passwd /var/cache/man/x' man
  3. emerge sys-apps/man
  4. /etc/passwd is group-writable and root:man
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:16:28 UTC
Unrestricting and reassigning to security@ per bug #705894
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2020-04-03 23:18:24 UTC
unrestricting per bug 705894
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-01-25 21:55:57 UTC
Treecleaned a while ago. Very old bug so will go to noglsa.

commit ce370f012e25ad2eb756cbcaf768bf053161d067
Author: Mike Gilbert <floppym@gentoo.org>
Date:   Sat Mar 7 16:54:44 2020 -0500

    sys-apps/man: remove package

    Closes: https://bugs.gentoo.org/468428
    Closes: https://bugs.gentoo.org/515534
    Closes: https://bugs.gentoo.org/524588
    Closes: https://bugs.gentoo.org/589738
    Closes: https://bugs.gentoo.org/605352
    Closes: https://bugs.gentoo.org/651038
    Closes: https://bugs.gentoo.org/683494
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>